Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-07-01 09:07:43

ntk
Contributor
Registered: 2015-05-24
Posts: 701

A collection of strange configuration for study ...

// Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
//    T5567WriteBlock(0x603E10E2,0);

I came across this configuration, and I am not sure how it would work on a real reader. Could you please help me understand it better?

To ease the discussion, we had better use the same doc, ATA5577C, found here: ATA5577C

Last edited by ntk (2017-07-06 20:55:39)


#2 2017-07-01 10:46:29

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: A collection of strange configuration for study ...

According to the author: "//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)"

Checking Table 5-3 (Block 0, Page 0, X mode – Configuration Mapping in X Mode), we have 32 bits:

b0       lock bit, should be 0
b1..b4   master key, could be 6 or 9 or neither
b9..b14  data bit rate
b15      must be 1 for extended mode
b16..b20 modulation
b21..b22 PSK CF
b23      AOR
b24      OTP
b25..b27 max block
b28      PWD
b29      STT
b30      fast DL
b31      inverse data
b32      init delay

So what we have here:
hex 0x603E10E2 is 0110 0000 0011 1110 0001 0000 1110 0010
with bit 0 as the lock bit = 0, the mapping is
0 0110 0000 001111 1 00001 00 0 0 111 0 0 0 1 0

What the author wants is "Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)":
bit 15 is 1
bit 31 is 1
modulation bits are 00001
bit rate is 001111

What does bit rate 001111 mean? According to the ATA table for extended mode, that is RF/(2n+2):
n     n in 6-bit binary    RF/(2n+2)
0     000000               RF/2
1     000001               RF/4
3     000011               RF/8
7     000111               RF/16
15    001111               RF/32
19    010011               RF/40
24    011000               RF/50
31    011111               RF/64
49    110001               RF/100
63    111111               RF/128


Ah, I understand now: the trick is extended mode, and there is a bit 0 added to the hex number converted to binary. According to Table 5.3 there is a bit 0, then bit 1, bit 2 ... bit 32, so there are 33 bits we have to check here, not just map down the 32 bits coming from the converted result of the hex 0x603E10E2, which was 0110 0000 0011 1110 0001 0000 1110 0010.

You are correct, Marshmellow. The author of the Indala code can use this config as an alternative configuration data block for an Indala tag with a long UID.

Last edited by ntk (2017-07-02 10:36:38)


#3 2017-07-01 10:49:40

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: A collection of strange configuration for study ...

Now to confirm: there was this configuration, which in the past I thought was wrong:
0x603E0080

What is it for? Is it wrong or right?
0x603E0080, which in binary is 01100000000010000001000001000000

With b0 as the lock bit = 0, and assuming it is again an extended mode configuration block 0, its mapping is
0 0110 0000 000010 0 00001 00 0 0 010 0 0 0 0 0

In the case of 0x603E0080, our b15 isn't 1, so it cannot be an extended configuration.

What is it in basic configuration?

The author would like to emulate a tag with RF/128, PSK-CF RF/2, direct modulation, 4 max data blocks, no PW, no ST... What else can it be? I rarely see an RF/128 bit rate, but the rest seems to make sense. Is it what the author wanted?

I noted this down long ago. Today I know I could use lf t55xx det, trace, dump to see its content... My note was: repeating of two data blocks, hence I thought the configuration for 4 max data blocks was unnecessary, or mistaken.

Last edited by ntk (2017-07-02 10:53:46)


#4 2017-07-06 20:53:15

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: A collection of strange configuration for study ...

0x603E0080

0 0110 0000 001111 1 00000 00 0 0 100 0 0 0 0 0

bit 15 = 1, so X-tended mode; RF/32, direct modulation, 4 data blocks, no inversion

Last edited by ntk (2017-07-07 16:05:57)


#5 2017-07-06 21:47:30

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: A collection of strange configuration for study ...

60081040, extracted from the thread "DKS - DOORKING - 125khz - WHITE FOB"

Assuming this is an extended configuration:
0 0110 0000 000010 0 00001 00 0 0 010 0 0 0 0 0
bit 15 = 0, so it can't be an X-mode configuration.

If it is a basic configuration, then RF/32; PSK1; 2 blocks; no PW, no invert, no STT.

But why use 60081040 instead of just 00081040?

According to the ATA5577C doc:
1. If the Master Key is 6, the test mode access is disabled.
2. If the Master Key is neither 6 nor 9, the extended function mode and Init Delay are disabled.
And if the configuration is in eX-mode, then:
1. If the Master Key is 6 and bit 15 is set, the test mode access is disabled and the extended mode is active.
2. If the Master Key is 9 and bit 15 is set, the extended mode is enabled.
Further:
● Master key = 9: Test mode access and extended mode are both enabled.
● Master key = 6: Any test mode access will be denied, but the extended mode is still enabled.

Remarkably, if the master key is set to 6, one needs to remember something about the OTP bit (OTP == Off The Piste!?!?):
"If the OTP bit is set to 1, all memory blocks are write protected and behave as if all lock bits are set to 1. If, in addition, the
master key is set to 6, the Atmel ATA5577C mode of operation is locked forever (one-time-programming functionality).
If the master key is set to 9, test-mode access allows re-configuration of the tag."

Hmm, "allows re-configuration of the tag": what is the difference?
Don't we re-configure a tag many times with master key code = 0?

Why should one make his life more miserable and set master key = 6 to disable test mode, or remember to set MK = 9 to reconfigure a tag?

Last edited by ntk (2017-07-06 22:01:49)

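To avoid doing the bit mapping from posts #2 to #5 by hand (and slipping, as with the binary of 0x603E0080 in post #3), here is a small decoder/encoder for a T5577 block 0 word. It is an added example for this thread, not Proxmark3 project code. It follows the ATA5577C block 0 mapping quoted above: datasheet bit n (1..32) is bit (32 - n) of the 32-bit word, and the lock bit 0 that the posts prepend is not part of the word. Bit 15 is only treated as extended mode when the master key is 6 or 9, per the doc lines quoted in post #5. The names (decode_block0, encode_block0, bit_groups, master_key_effect) are mine, and the basic-rate, modulation and PSK-CF code tables are the ATA5577C ones as used by the Proxmark3 client, which you should check against the datasheet tables before relying on them.

```python
"""T5577 (ATA5577C) block 0 configuration decoder/encoder (added example, not Proxmark3 code)."""

# Basic-mode data bit rate: 3-bit code -> RF divisor (assumed from the datasheet)
RF_BASIC = {0: 8, 1: 16, 2: 32, 3: 40, 4: 50, 5: 64, 6: 100, 7: 128}
# Modulation: 5-bit code -> name (assumed from the datasheet; other codes are reserved)
MODULATION = {0: "Direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1", 5: "FSK2",
              6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "Biphase", 24: "Diphase"}
PSK_CF = {0: 2, 1: 4, 2: 8}  # PSK carrier RF/2, RF/4, RF/8 (code 3 is reserved)

# Group widths to print the word the way the posts do (lock bit prepended as "0")
X_GROUPS = (4, 4, 6, 1, 5, 2, 1, 1, 3, 1, 1, 1, 1, 1)      # MK res rate6 X mod CF AOR OTP maxblk PWD STT fastDL inv init
BASIC_GROUPS = (4, 7, 3, 1, 5, 2, 1, 1, 3, 1, 1, 1, 1, 1)  # MK res rate3 X mod CF AOR res maxblk PWD STT res res init


def field(word, ds_hi, ds_lo):
    """Datasheet bits ds_hi..ds_lo (1-based, bit 1 = MSB) of a 32-bit word."""
    width = ds_lo - ds_hi + 1
    return (word >> (32 - ds_lo)) & ((1 << width) - 1)


def master_key_effect(mk):
    """Master key rules as quoted from the ATA5577C doc in post #5."""
    if mk == 9:
        return "test mode access and extended mode enabled"
    if mk == 6:
        return "test mode access denied, extended mode enabled"
    return "extended mode and init delay disabled"


def decode_block0(word):
    """Interpret a block 0 word as a basic or extended (X) mode configuration."""
    mk = field(word, 1, 4)
    x_bit = bool(field(word, 15, 15))
    extended = x_bit and mk in (6, 9)  # bit 15 only counts with master key 6 or 9
    cfg = {"master_key": mk, "master_key_effect": master_key_effect(mk),
           "x_bit": x_bit, "extended": extended}
    if extended:
        cfg["rf"] = 2 * field(word, 9, 14) + 2  # 6-bit n, RF/(2n+2)
        cfg["otp"] = bool(field(word, 24, 24))
        cfg["fast_dl"] = bool(field(word, 30, 30))
        cfg["invert"] = bool(field(word, 31, 31))
    else:
        cfg["rf"] = RF_BASIC[field(word, 12, 14)]  # 3-bit code
    mod = field(word, 16, 20)
    cfg["modulation"] = MODULATION.get(mod, f"reserved({mod:05b})")
    cfg["psk_cf"] = PSK_CF.get(field(word, 21, 22), "reserved")
    cfg["aor"] = bool(field(word, 23, 23))
    cfg["max_block"] = field(word, 25, 27)
    cfg["pwd"] = bool(field(word, 28, 28))
    cfg["stt"] = bool(field(word, 29, 29))
    cfg["init_delay"] = bool(field(word, 32, 32))
    return cfg


def bit_groups(word, extended):
    """Render the word like the posts: '0 0110 0000 001111 1 ...' (lock bit first)."""
    bits, out, pos = f"{word:032b}", ["0"], 0
    for width in (X_GROUPS if extended else BASIC_GROUPS):
        out.append(bits[pos:pos + width])
        pos += width
    return " ".join(out)


def encode_block0(master_key=0, rf=32, modulation="Manchester", psk_cf=2, max_block=7,
                  extended=False, pwd=False, stt=False, aor=False, otp=False,
                  fast_dl=False, invert=False, init_delay=False):
    """Inverse of decode_block0: build a block 0 word from named settings."""
    def put(value, ds_hi, ds_lo):
        width = ds_lo - ds_hi + 1
        if not 0 <= value < (1 << width):
            raise ValueError(f"{value} does not fit datasheet bits {ds_hi}..{ds_lo}")
        return value << (32 - ds_lo)

    word = put(master_key, 1, 4)
    if extended:
        if rf % 2 or not 2 <= rf <= 128:
            raise ValueError("X-mode rate must be RF/(2n+2) with n in 0..63")
        word |= put(rf // 2 - 1, 9, 14) | put(1, 15, 15)
        word |= put(int(otp), 24, 24) | put(int(fast_dl), 30, 30) | put(int(invert), 31, 31)
    else:
        code = {v: k for k, v in RF_BASIC.items()}
        if rf not in code:
            raise ValueError(f"RF/{rf} is not a basic-mode rate; use extended=True")
        word |= put(code[rf], 12, 14)
    mod_code = {name: c for c, name in MODULATION.items()}[modulation]
    word |= put(mod_code, 16, 20) | put({2: 0, 4: 1, 8: 2}[psk_cf], 21, 22)
    word |= put(int(aor), 23, 23) | put(max_block, 25, 27) | put(int(pwd), 28, 28)
    word |= put(int(stt), 29, 29) | put(int(init_delay), 32, 32)
    return word


if __name__ == "__main__":
    for w in (0x603E10E2, 0x603E0080, 0x60081040):  # the three words discussed in the thread
        c = decode_block0(w)
        print(f"0x{w:08X}  {bit_groups(w, c['extended'])}")
        print("   ", {k: v for k, v in c.items() if k != "master_key_effect"})
```

Running it prints each word in the grouped form used above and its decoded fields; bit_groups takes the mode explicitly so you can render a word both ways, as post #5 does with 60081040, and encode_block0 rebuilds 0x603E10E2 from "master key 6, RF/32, PSK1, 7 blocks, extended, inverted".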
